ARP restricted forwarding configuration example
Network requirements
As shown in Figure 109, configure ARP restricted forwarding on Switch B where ARP detection is configured so that port isolation configured on Switch B can take effect for broadcast ARP requests.
Figure 109: Network diagram
Configuration procedure
Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 105. (Details not shown.)
Configure DHCP address pool 0 on Switch A as a DHCP server.
<SwitchA> system-view
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure the DHCP client on Hosts A and B. (Details not shown.)
Configure Switch B.
# Enable DHCP snooping, and configure Ethernet 1/0/3 as a DHCP-trusted port.
<SwitchB> system-view
[SwitchB] dhcp-snooping
[SwitchB] interface ethernet 1/0/3
[SwitchB-Ethernet1/0/3] dhcp-snooping trust
[SwitchB-Ethernet1/0/3] quit
# Enable ARP detection.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure Ethernet 1/0/3 as an ARP-trusted port.
[SwitchB-vlan10] interface ethernet 1/0/3
[SwitchB-Ethernet1/0/3] arp detection trust
[SwitchB-Ethernet1/0/3] quit
# Configure a static IP source guard binding entry on interface Ethernet 1/0/2.
[SwitchB] interface ethernet 1/0/2
[SwitchB-Ethernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[SwitchB-Ethernet1/0/2] quit
# Enable the checking of the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[SwitchB] interface ethernet 1/0/1
[SwitchB-Ethernet1/0/1] port-isolate enable
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port-isolate enable
[SwitchB-Ethernet1/0/2] quit
After the preceding configurations are complete, ARP packets received on interfaces Ethernet 1/0/1 and Ethernet 1/0/2 are first validated (MAC and IP address checks), then checked against the static IP source guard binding entries, and finally against the DHCP snooping entries. However, ARP broadcast requests sent from Host A pass these checks on Switch B and still reach Host B, so port isolation does not take effect.
# Configure ARP restricted forwarding.
[SwitchB] vlan 10
[SwitchB-vlan10] arp restricted-forwarding enable
[SwitchB-vlan10] quit
After the configuration, Switch B forwards ARP broadcast requests from Host A only to Switch A through the trusted port Ethernet 1/0/3, so Host B cannot receive them. Port isolation works normally.
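The check order described above (validation, static IP source guard bindings, DHCP snooping entries) and the forwarding difference with and without ARP restricted forwarding, as an added simplified model written for this page; it is not switch code. Port names, the static binding and the check semantics are taken from the page; the DHCP snooping entry for Host A and the Switch A MAC address are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed topology from the page: Host A on Ethernet1/0/1, Host B on Ethernet1/0/2,
# Switch A (DHCP server) on trusted Ethernet1/0/3, all in VLAN 10.
VLAN = 10
VLAN_PORTS = {"Ethernet1/0/1", "Ethernet1/0/2", "Ethernet1/0/3"}
TRUSTED_PORTS = {"Ethernet1/0/3"}
ISOLATED_PORTS = {"Ethernet1/0/1", "Ethernet1/0/2"}
# Static IP source guard binding from the page (Host B); Host A's DHCP snooping entry is constructed.
STATIC_BINDINGS = {("10.1.1.6", "0001-0203-0607", VLAN, "Ethernet1/0/2")}
DHCP_SNOOPING = {("10.1.1.5", "0001-0203-0405", VLAN, "Ethernet1/0/1")}
BROADCAST = "ffff-ffff-ffff"

@dataclass
class Arp:
    in_port: str
    eth_src: str
    eth_dst: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    is_reply: bool = False

def bad_ip(ip):
    """ip check: all-zero, all-one and multicast addresses are invalid."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239

def arp_detection(pkt, restricted=False):
    """Return the set of egress ports; an empty set means the packet is dropped."""
    if pkt.in_port in TRUSTED_PORTS:
        # ARP from the trusted port is not checked; isolation only separates the isolated ports.
        return VLAN_PORTS - {pkt.in_port}
    # 1. arp detection validate dst-mac ip src-mac (dst-mac/target ip apply to replies only)
    if pkt.sender_mac != pkt.eth_src:
        return set()
    if pkt.is_reply and pkt.target_mac != pkt.eth_dst:
        return set()
    if bad_ip(pkt.sender_ip) or (pkt.is_reply and bad_ip(pkt.target_ip)):
        return set()
    # 2. static IP source guard bindings, then 3. DHCP snooping entries
    key = (pkt.sender_ip, pkt.sender_mac, VLAN, pkt.in_port)
    if key not in STATIC_BINDINGS and key not in DHCP_SNOOPING:
        return set()
    # 4. ARP restricted forwarding: broadcast requests leave through trusted ports only
    if restricted and pkt.eth_dst == BROADCAST and not pkt.is_reply:
        return TRUSTED_PORTS - {pkt.in_port}
    # Without it, a checked packet is flooded to the VLAN and bypasses port isolation.
    return VLAN_PORTS - {pkt.in_port}
```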